[ISN] Stop Him Before He Hacks Again

From: InfoSec News (isnat_private)
Date: Tue Mar 05 2002 - 00:32:18 PST


    MARCH 5, 2002 
    By Alex Salkever 
    Adrian Lamo has made quite a name for himself by breaking into
    corporate networks. He has done no harm -- but that's not the issue
    Readers of The New York Times's "op-ed" page regularly find columns
    written by a host of world leaders and celebrities, from Palestinian
    leader Yassir Arafat and former U.S. President Jimmy Carter to hip-hop
    star and talk-show host Queen Latifah. The contact information for
these luminaries is a closely guarded Times secret, as are the contents
    of the op-ed section's Rolodex.
    Not anymore. The Times op-ed section and its list of contributors were
    recently penetrated by one of the most controversial hackers to emerge
    since Kevin Mitnick, who spent almost five years in prison for
repeatedly invading computer systems at a slew of high-tech
    outfits. Meet Adrian Lamo, a soft-spoken 21-year-old snoop from San
    Francisco who hacks with nothing more than a laptop, a Web browser,
    and a Net connection at the local coffee shop.
    FRIENDLY WARNING.  Lamo recently broke into the Times computer
    network, where he co-opted contact-information files as well as
    sensitive details of the news-gathering and editing process at the
    Times. His tear through the Gray Lady's closet even gave him the
    ability to change the Web site at one of the world's most powerful
media organizations with a few keystrokes -- an option he didn't
    exercise. Lamo then contacted computer-security publication Security
    Focus Online and asked it to contact the Times on his behalf to
    outline the breach.
    This isn't Lamo's first conquest. In September, 2001, he hacked into
    the content servers at Yahoo! -- and actually did alter a news story
    to demonstrate that he was capable of breaching security. A month
    later, he hacked customer-information databases at software powerhouse
    Microsoft. In December, 2001, he gained access to secret
network-topology diagrams at voice-and-data carrier WorldCom, going
    so far as to e-mail company officials a supposedly secret file showing
    key locations of network equipment.
    So why hasn't Lamo been prosecuted for computer crimes? In each of
these cases, he warned the companies about their flaws after the fact
and offered to help fix them for free. Lamo further claims that he has
accepted no money or compensation from any of his targets, a departure
from common practice in the computer-security world, where a consultant
reporting a breach often gets awarded a contract. Rather than
    condemning him, Lamo's "victims" have mostly praised him for helping
    to secure their networks.
    INTRUDER OR HERO?  So far, the Times has neither condemned nor lauded
    Lamo. "We are currently determining what the appropriate next steps
    will be," was how Times spokesperson Christine Mohan responded to an
    e-mail from BusinessWeek Online. To date, no one has pressed charges.
    Lamo says his main motivation for hacking is mere curiosity. Does that
make his escapades O.K.? Good question. There are two schools of
thought, each argued vehemently in the numerous Internet discussions of
the affair that are still raging today. Let's examine the first, the
attitude that says Lamo actually provided the Times with a service.
    Fair enough. He did help by alerting the paper to the flaws in its
networks. And it's quite possible that he saved it from a serious dose
of egg on its august face -- not to mention a pile of legal fees -- if
any private information had been stolen. Lamo did all this by walking
    through the equivalent of an unlocked door fronting a very public
    thoroughfare, the Internet. What's more, he hasn't profited from his
    exploits. Nor has he damaged the systems or done any real harm.
    EXTENDED VISITS.  The second school of thought says Lamo should have
    the book thrown at him. Never mind his high-minded intentions or
    curiosity. According to this view's adherents, breaking into a
    company's or an individual's computer is akin to breaking into
    somebody's house. It's illegal, period -- even if the only result is
    that the homeowner now knows how easy it was to commit the crime.
In some cases, Lamo was poking around in these networks for extended
periods. At WorldCom, his sojourn lasted several months, yet the
telecom had no knowledge of his snooping. Clearly, Lamo could have
warned these companies sooner. Then there's the potential for
    inadvertent damage to the networks, a real possibility when someone
    who's largely unfamiliar with the intricacies of the system is
    snooping around.
    Besides, why didn't Lamo ask the companies if he could break into
    their networks? They probably wouldn't have said, "Go ahead! Have
    fun." The proper way to enter a house is by knocking on the front
    door, no?
    WHITE-HAT HACKER.  Finally, in each case, Lamo widely publicized what
    he did -- not just to the companies involved, but to the public at
    large. Granted, he did give the companies a chance to fix their
    network problems before he went public with the information. But why
    go public at all unless the goal of the exercise is to broadcast one's
    Lamo is hardly the first to test networks for fun and sport. Many of
    these so-called white-hat hackers turn their skills to the trade of
    information security, where they look for vulnerabilities to gain
    prestige for themselves and their employers. The difference: These
    guys look for vulnerabilities in software products that, for the most
    part, they have legally licensed. As a general rule, they don't poke
    around in networks without being invited.
    When I contacted Lamo on his cell phone (somewhere on public transit
    in San Francisco or Oakland, he told me), he seemed like a pleasant
    enough guy. He wasn't boastful. He conceded that he was operating in a
    gray area and that he could run afoul of the law. He also admitted
    that damaging a network inadvertently was a significant risk during
    his undertakings.
    LETTER VS. SPIRIT.  All in all, it seemed that Lamo was quite
    clear-eyed about what he had done and its implications, although he
    did say he hoped it wouldn't develop into a legal battle. "It would be
    inaccurate to say that I don't care," says Lamo, "and that I feel that
    I'm beyond the law."
Did Lamo violate the law? Perhaps, if you look at its letter. On the
Internet, when a perimeter is breached, it's trespassing. But judged by
the spirit of the law, companies aren't throwing the book at him -- and
    for good reason. He's telling them things about their networks that
    are very valuable and cost them nothing to learn. And, again, his
    exploits have caused no harm. The "victims" of these victimless crimes
    have allowed him to continue going about his business.
    Part of me admires Lamo. Part of me worries about him. Allowing this
    type of uninvited hacking to go on unchecked is unacceptable. Before
    you know it, Lamo's imitators will proliferate. Soon, hundreds if not
    thousands of people could be rattling the windows of companies'
    computer systems, checking the doors, and wandering through the house.  
    That's hardly the best way to run a digital society.
    APPROPRIATE REMEDIES.  Think of hundreds of garage mechanics hotwiring
    your car and taking it for a test-drive to see if it has any kinks.  
    Even if they don't steal anything, it's a major invasion of privacy.
There are other ways to resolve this without prosecuting Lamo.
Perhaps a court should require him to perform community-service
    security work for nonprofits or government agencies. Or maybe he
    should serve as a computer teacher to underprivileged kids. But if he
    commits further transgressions (on top of the many already detailed),
    he should be issued a stern warning by law enforcement.
    Lamo is clearly not a malicious guy. But there's no shortage of good
    work a white-hat hacker could carry out without secretly breaking into
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Tue Mar 05 2002 - 04:11:29 PST